Some software is secure, some is free, some excels in usability, and some provides unique functionality. And then there is y****n (oh, in case you didn't know, y****n is information-station software used by numerous higher education institutions). Whoever was responsible for usability tests on this thing should be kicked in the head $#@%#&!
No seriously, this thing should be a practical example of how not to do software development. I dare the developer to try to use the y****n forum system!
But I digress. Let's discuss the interesting stuff...
Here is a nice example of why securing communications with SSL over a crappy infrastructure == waste of effort (and money; those certificates are not cheap). SSL protects the data in transit; it does nothing for an application that never checks who is asking.
In y****n the user logs in over HTTPS, is assigned a session cookie, and then navigates the site using URL parameters, something like this:
https://y****n.****.ac.il/y****n/fireflyweb.aspx?appname=BSHITA&prgname=Menu&arguments=-N123456789,-A,-N012983489321984,-N0018,
What's interesting is that the very first argument, -N123456789, which is used to identify the user when querying the database, is actually the student's teudat zehut (Israeli ID) number. Upon receiving a query the server only verifies that user 123456789 is currently logged in somewhere; it does not check that this ID matches the user who actually made the query, i.e. the owner of the session cookie. In fact, one does not even need to be authenticated to send such a query. This is a textbook broken access control bug (an insecure direct object reference): we can perform queries as any currently logged-in user, within that user's privilege level, simply by putting their ID number in the URL.
For example, we could extract someone else's exam sheet:
https://y****n.****.ac.il/y****n/fireflyweb.aspx?APPNAME=BSHITA&PRGNAME=NoteBooks_Open_Do&ARGUMENTS=-N[ID]-AH,-N[YYYY],-N1,-N[COURSEID][YY][MM],-N00,-N00[COURSEID],-N0001,-N1,-A&LineNo=1&Stat=U&LastPark=&IndexNo=&TaskDefinition=
where:
[ID] - student ID number (teudat zehut)
[YYYY] - current year (four digits)
[COURSEID] - course id
[YY][MM] - semester's starting date (two-digit year followed by two-digit month)
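To make the flaw in the menu and exam-sheet queries above concrete, here is an added illustration (not the application's code; the real server-side logic is unknown to me) of the check the post describes beside the check that should have been there. The session store, the students Alice and Bob, their passwords and the HTTP status codes are all assumptions; the ARGUMENTS format is the one visible in the URLs quoted above. The vulnerable handler reads the identity from the first -N argument and only asks "does this ID have a live session?", so anyone, cookie or not, can pull a logged-in student's record. The hardened handler takes the identity from the session bound to the caller's cookie and treats a mismatching ID in the URL as an error.

```python
"""Vulnerable vs. hardened authorization for a fireflyweb-style query.
Added illustration: names, passwords and status codes are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
import secrets

# Constructed sample data (not real students): ID number -> record.
RECORDS = {
    "123456789": {"name": "Alice", "exam": "exam sheet of 123456789"},
    "987654321": {"name": "Bob", "exam": "exam sheet of 987654321"},
}
PASSWORDS = {"123456789": "hunter2", "987654321": "swordfish"}


def parse_arguments(raw: str) -> List[Tuple[str, str]]:
    """Split an ARGUMENTS value such as '-N123456789,-A,-N0018,' into
    (type, value) pairs. 'N' is a numeric argument, 'A' an alphanumeric one
    that may be empty, as in the URLs quoted in the post."""
    pairs = []
    for tok in raw.split(","):
        if not tok:                      # trailing comma leaves an empty token
            continue
        if len(tok) < 2 or tok[0] != "-" or tok[1] not in "NA":
            raise ValueError(f"malformed argument {tok!r}")
        pairs.append((tok[1], tok[2:]))
    return pairs


@dataclass
class Server:
    # session cookie -> ID number of the user who logged in with that cookie
    sessions: dict = field(default_factory=dict)

    def login(self, user_id: str, password: str) -> str:
        if PASSWORDS.get(user_id) != password:
            raise PermissionError("bad credentials")
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = user_id
        return cookie

    def vulnerable_query(self, arguments: str, cookie: Optional[str]):
        """The behaviour the post describes: identity is read from the first
        -N argument and the only check is 'does this ID have a live session?'.
        The caller's own cookie is never consulted."""
        user_id = parse_arguments(arguments)[0][1]
        if user_id not in self.sessions.values():
            return 403, None
        return 200, RECORDS[user_id]["exam"]

    def hardened_query(self, arguments: str, cookie: Optional[str]):
        """Fixed version: identity comes only from the session bound to the
        cookie; an ID in the URL is accepted only if it matches that user."""
        user_id = self.sessions.get(cookie)
        if user_id is None:
            return 401, None
        args = parse_arguments(arguments)
        if args and args[0][0] == "N" and args[0][1] != user_id:
            return 403, None
        return 200, RECORDS[user_id]["exam"]


def demo():
    """Replay the scenario: Alice is logged in, a request carrying her ID
    arrives with no cookie at all and then with Bob's cookie."""
    srv = Server()
    alice = srv.login("123456789", "hunter2")
    bob = srv.login("987654321", "swordfish")
    args = "-N123456789,-A,-N012983489321984,-N0018,"   # Alice's ID in the URL
    return {
        "anon_vulnerable": srv.vulnerable_query(args, None),
        "anon_hardened": srv.hardened_query(args, None),
        "bob_vulnerable": srv.vulnerable_query(args, bob),
        "bob_hardened": srv.hardened_query(args, bob),
        "alice_hardened": srv.hardened_query(args, alice),
    }


if __name__ == "__main__":
    for case, (status, body) in demo().items():
        print(f"{case:16} -> {status} {body}")
```

Running it shows the two vulnerable cases returning Alice's exam sheet with status 200 (no cookie, and Bob's cookie), while the hardened handler answers 401 to the anonymous request, 403 to Bob, and 200 only to Alice herself. The important design point is the direction of the lookup: the session store must be consulted by cookie to find the user, never by user ID to find out whether "someone" is logged in.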
UPDATE: since this has a potential for abuse and me dislikes lawsuits, the software name has been removed. Sorry, folks.
Saturday, May 2, 2009